According to “techworld”, a new technique that allows attackers to hide encrypted malicious Android applications inside images could be used to evade detection by antivirus products and possibly Google Play's own malware scanner.

The attack was developed by Axelle Apvrille, a researcher at Fortinet, and reverse engineer Ange Albertini, who presented their proof-of-concept at the Black Hat Europe security conference in Amsterdam Thursday.

It's based on a technique devised by Albertini dubbed AngeCryption that allows controlling both the input and the output of a file encryption operation using the Advanced Encryption Standard (AES) by taking advantage of the properties of some file formats that allow files to remain valid despite having junk data appended to them.

AngeCryption, which was implemented as a Python script available for download on Google Code, allows the user to choose an input and an output file and makes the necessary modifications so that when the input file is encrypted with a specified key using AES in cipher-block chaining (CBC) mode, it produces the desired output file.

Apvrille and Albertini took the idea further and applied it to APK (Android application package) files. They created a proof-of-concept wrapping application that simply displays a PNG image of Star Wars character Anakin Skywalker. However, the app can also decrypt the image with a particular key in order to produce a second APK file that it can then install.

In the researchers' demonstration, the APK hidden inside the image was designed to display a picture of Darth Vader, but a real attacker could use a malicious application instead to steal text messages, photos, contacts, or other data.

The attack works on Android 4.4.2, the latest version of the OS, but the Android security team has been notified and is developing a fix, Apvrille said.

The situation with the distribution of Android security updates is better than it was three years ago, but this vulnerability will probably remain active on many phones for one or two years, Apvrille said.